Skip to content
Go to file

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


Symbolic Verification with ProVerif

Download ProVerif from the ProVerif website.

The .pv files corresponding to various combinations of the protocol should be run by the command:

proverif -lib tls-lib <filename>

They use the library tls-lib.pvl provided below.

Generic Library with Threat Model and Protocol Processes

ProVerif Models for TLS 1.2 and TLS 1.3

Understanding the results

ProVerif generates a large amount of output, so you may want to run: proverif -lib tls-lib | tee results.txt | grep ^RESULT which will put all the results in a file results.txt and summarize the success or failure of various security queries. (Warning: verifying this model takes a long time and a significant amount of RAM even on powerful workstations.)

To understand the results, look at the comments above the queries in the PV file. Roughly, the "true" queries correspond to security goals like (Forward) Secrecy, Authenticity, Replay Prevention, and Unique Channel Identifiers for the session keys and for the various data fragments. The "false" queries correspond to queries that we expect to fail; they show that our verification is tight, disabling some of the conditions in our "true" queries would cause them to be false.

Computational Verification with CryptoVerif

Download CryptoVerif from the CryptoVerif website.

The .cv files corresponding to the lemmas on the key schedule and to the protocol should be run by the command:

cryptoverif -lib tls-lib <filename>

They use the library tls-lib.cvl provided below.

Library with assumptions on TLS cryptographic primitives.

The library tls-lib.cvl has been obtained by adding the following primitives tls-primitives.cvl to the standard CryptoVerif library.

Lemmas on the key schedule (Section 6.3)

The protocol

Initial handshake (Section 6.4)

The first file deals with 0.5-RTT and 1-RTT messages. The second one supports only 1-RTT (but proves stronger properties from server to client messages).

Handshake with pre-shared key (Section 6.5)


Record Protocol (Section 6.6)

The first file is the normal record protocol. The last two are variants for 0-RTT messages: one with a replicated receiver, and one with no sender.

Summary of obtained results:

All queries proved.
0.024s (user 0.020s + system 0.004s), max rss 40944K
All queries proved.
0.072s (user 0.072s + system 0.000s), max rss 42544K
All queries proved.
0.060s (user 0.060s + system 0.000s), max rss 39600K
All queries proved.
0.544s (user 0.540s + system 0.004s), max rss 58672K
All queries proved.
115.692s (user 115.572s + system 0.120s), max rss 2293248K
All queries proved.
119.500s (user 119.400s + system 0.100s), max rss 2278192K
All queries proved.
380.880s (user 380.772s + system 0.108s), max rss 1587888K
All queries proved.
0.040s (user 0.036s + system 0.004s), max rss 37632K
All queries proved.
0.036s (user 0.036s + system 0.000s), max rss 40864K
All queries proved.
0.024s (user 0.024s + system 0.000s), max rss 38656K


No description, website, or topics provided.



No releases published


No packages published
You can’t perform that action at this time.